Anyone with access to your Wordpress admin can edit your theme or plugin files and insert their own malicious code, replace a template file into a PHP uploader and upload more files or change file permissions without your knowledge.